System and Method for Hierarchical Visualization of Data

ABSTRACT

A system and method for monitoring IP flows in a network is disclosed. A plurality of monitor probes are coupled to links in the network, the monitor probes capture data packets from the links and determine protocols in OSI Layers 3, 4, and 5/7 of the packets. A user interface receives user inputs selecting the links and protocols for analysis. A display is coupled to the monitor probes and the user interface. The display and user interface receiving a user selection of links for analysis and display a first protocol analysis to the user, the first protocol analysis display comprising a pie chart representing all OSI Layer 3 protocols captured on the selected links, a pie chart representing all OSI Layer 4 protocols captured on the selected links, and a pie chart representing all OSI Layer 5/7 protocols captured on the selected links.

TECHNICAL FIELD

Embodiments are directed, in general, to displaying network data to users and, more specifically, to displaying network data in a hierarchical format.

BACKGROUND

Fixed and wireless telecommunications networks comprise many network nodes interlinked by high speed interfaces. The interfaces transport control plane and user plane data packets across the telecommunications networks. Typical network interfaces may be 10GE links supporting thousands of subscriber sessions, wherein each session uses one of many different protocols. Network operators may use monitoring equipment to analyze the network's performance. The monitoring equipment captures data packets from the links and presents the data to a user. The volume of data captured from the links is enormous and includes information for each of the OSI (Open Systems Interconnection) layers of the protocols used in thousands of sessions.

Presenting the data captured from network links to users in a manner that is understandable and useful is difficult to achieve because there is simply too much data to display to the user. The amount of data can overwhelm the user and important data becomes buried.

SUMMARY

Visualizing hierarchical data in a way that does not overwhelm a user is a problem that needs to be solved. In many cases, there is simply too much data to display to the user, and what is important becomes buried.

Traditionally, display of hierarchical data is shown in some kind of tabular or tree format. Displaying hierarchical data in this way can overwhelm because there is too much data to display to the user, and what is important becomes buried. Embodiments of the present invention are directed to a new way of displaying hierarchical data that is based on the concept of progressive disclosure. The tree concept has been taken and expanded upon, using traditional pie charts to represent each level in a hierarchical data structure.

At the root node of the hierarchical data, the pie chart will contain at most N+1 slices in which the top N categories are displayed, and the last (N+1) slice represents one or more categories that are outside of the “top N”. This segment is known as the “other” category and is represented as the summary of these remaining categories.

Subsequent levels or cross-sections of the hierarchical data are represented as additional pie charts. The initial representation given to these pie charts reflects a summary of categories present at that level regardless of parent node. The subsequent levels also contain the N+1 segmenting concept explained above.

Embodiments of the invention comprise the ability to select (e.g. “click” on) a slice in each pie chart to select the represented protocol segment. This selection changes the data being shown by the pie charts to reflect data from deeper levels of the hierarchical structure. The selection acts as a filter to the lower level data. On selection, the selected slice is highlighted or shown in an exploded view on the display to indicate selection. Selecting a segment a second time acts to deselect the protocol. The lowest level of pie chart does not include this filter capability. Selection at this level can be interpreted as a drilldown to other applications or pages of data.

BRIEF DESCRIPTION OF THE DRAWINGS

Having thus described the system and method in general terms, reference will now be made to the accompanying drawings, which are not necessarily drawn to scale, and wherein:

FIG. 1 illustrates an exemplary data network;

FIG. 2 illustrates an exemplary display according to embodiments of the invention;

FIG. 3 illustrates another exemplary display according to embodiments of the invention; and

FIG. 4 illustrates another exemplary display according to embodiments of the invention.

DETAILED DESCRIPTION

FIG. 1 illustrates an exemplary data network 100 in which users at devices 101-103 access data or applications on servers 104-107 via nodes 108-110 across links 111-112. FIG. 1 is a high-level representation of a data network for discussion purposes only and is not intended to limit the inventions disclosed herein to any particular network or protocol. Devices 101-103 may be computers, mobile devices, user equipment (UE), or client applications, for example. Nodes 108-110 and links 111-112 may represent a single service provider's network or may represent components of multiple networks. For example, node 108 may be part of a wireless or cellular network, such as a wireless access point, cellular system base station or node B, and/or part of an internet service provider's (ISP) network, such as a router or modem. Devices 101-103 access node 108 via wireless or wireline connections 114-116. Nodes 109-110 may be components in an intranet, Internet, or public data network, such as a router or gateway. Nodes 109-110 may also be components in a 3G or 4G wireless network, such as a Serving GPRS Support Node (SGSN), Gateway GPRS Support Node (GGSN) or Border Gateway in a General Packet Radio Service (GPRS) network, Packet Data Serving Node (PDSN) in a CDMA2000 network, or a Mobile Management Entity (MME) in a Long Term Evolution/Service Architecture Evolution (LTE/SAE) network, for example, or any other data network component.

Many packets traverse links 111-112 and nodes 108-110 as data is exchanged between devices 101-103 and servers 104-107. These packets may represent many different sessions and protocols. For example, if device 103 is used for a voice or video call, then device 103 may exchange Voice over Internet Protocol (VoIP) or Session Initiation Protocol (SIP) data packets with SIP/VoIP server 104 using Real-Time Transport Protocol (RTP). If device 102 is used to send or retrieve email, device 102 may exchange Internet Message Access Protocol (IMAP), Post Office Protocol 3 Protocol (POP3), or Simple Mail Transfer Protocol (SMTP) messages with email server 106. If device 101 is used to down load or stream video, device 101 may use Real Time Streaming Protocol (RTSP) to establish and control media sessions with video server 105. Alternatively, the user at device 101 may access a number of websites using Hypertext Transfer Protocol (HTTP) to exchange data packets with web server 107. It will be understood that packets exchanged between devices 101-103 and servers 104-107 may conform to numerous other protocols now known or later developed. In an exemplary system, approximately one percent of the packets traversing network 100 carry control data, such as information for setting-up, managing or tearing-down calls or sessions between devices 101-103 and servers 104-107. The other ninety-nine percent of the packets carry user data, such as actual voice, video, email or information content to and from devices 101-103.

Network monitoring system 113 may be used to monitor the performance of network 100. Monitoring system 113 captures packets that are transported across links 111-112 and any other network links or connections. In one embodiment, packet capture devices are non-intrusively coupled to network links 111-112 to capture substantially all of the packets transmitted across the links. Although only two links 111-112 are shown in FIG. 1, it will be understood that in an actual network there may be dozens or hundreds of physical, logical or virtual connections and links between network nodes. In one embodiment, network monitoring system 113 is coupled to all or a high percentage of these links. In other embodiments, network monitoring system 113 may be coupled only to a portion of network 100, such as only to links associated with a particular service provider. The packet capture devices may be part of network monitoring system 113, such as a line interface card, or may be separate components that are remotely coupled to network monitoring system 113 from different locations.

Monitoring system 113 preferably comprises one or more processors running one or more software applications that collect, correlate and analyze media and signaling data packets from network 100. Monitoring system 113 may incorporate protocol analyzer, session analyzer, and/or traffic analyzer functionality that provides OSI (Open Systems Interconnection) Layer 2 to Layer 7 troubleshooting by characterizing IP traffic by links, nodes, applications and servers on network 100. Such functionality is provided, for example, by the Iris Analyzer toolset available from Tektronix, Inc. The packet capture devices coupling network monitoring system 113 to links 111-112 may be high-speed, high-density 10GE probes that are optimized to handle high bandwidth IP traffic, such as the GeoProbe G10 available from Tektronix, Inc. A service provider or network operator may access data from monitoring system 113 via user interface station 117 having a display or graphical user interface 118, such as the IrisView configurable software framework that provides a single, integrated platform for all applications, including feeds to customer experience management systems and operation support system (OSS) and business support system (BSS) applications, which is also available from Tektronix, Inc. Monitoring system 113 may further comprise internal or external memory 119 for storing captured data packets, user session data, call records and configuration information. Monitoring system 113 may capture and correlate the packets associated specific data sessions on links 111-112. In one embodiment, related packets can be correlated using a 5-tuple association mechanism. The 5-tuple association process uses an IP correlation key that consists of 5 parts—server IP address, client IP address, source port, destination port, and Layer 4 Protocol (TCP or UDP or SCTP). The related packets can be combined into a record for a particular flow, session or call on network 100.

As the capability of network 100 increases toward 10GE or higher, each link 111-112 supports more users' data flows and sessions. In one embodiment, links 111-112 are 10GE interfaces supporting thousands of users. Many of the subscribers may have multiple active sessions, which results in thousands of active flows on link 111-112 at any time where each flow includes many packets. With such a very large volume of packets, it becomes difficult for a service provider or network operator to analyze all the traffic across network 100 and to identify problem nodes or links.

Traditionally, this kind of data would be displayed in a tabular or tree format. However, such formats do not provide users with easily and quickly understood information and do not allow for interaction with the data. To solve this problem, embodiments of the present invention display hierarchical network data in a format based on the concept of progressive disclosure in which pie charts represent multiple levels of data.

FIG. 2 illustrates an exemplary display 200 according to one embodiment of the invention. In one embodiment, display 200 may be presented to a user, for example, via user interface 118 (FIG. 1). Display 200 comprises a plurality of pie charts 201-203 which represent information about different OSI layers of captured data packets. The information shown in display 200 may correspond to packets captured from all of the links in a network, from a selected group of links, or from a specific link. Display 200 can also be used to present hierarchical data for any network element, such as Virtual Local Area Network (VLAN), server, or network node, as well for traffic on network links.

Pie chart 201 represents Layer 3 (Network Layer) information for all of the captured packets. Pie chart 201 is divided into “slices” or segments 204-205, which correspond to the Internet Protocol versions of the packets. The relative size of the slices in pie charts 201-203 correspond to the percentage of that type of data packet. For example, segment 204 corresponds to IPv4 packets, and segment 205 corresponds to IPv6 packets. Segment is drawn to have a size representing 77% of pie chart 201. Segment 204 may also be labeled with the type of information represented and a numerical percentage value, such as “IPv4” “77%” (206), or a total number of corresponding IPv4 packets (not shown). The rest of the network packets (23% of the total packets) are IPv6 packets. These are displayed as segment 205, which is labeled accordingly (207).

Pie chart 202 corresponds to the Layer 4 (Transport Layer) information for all of the packets. The captured packets are either TCP (Transmission Control Protocol) or UDP (Transmission Control Protocol) Internet Protocol traffic. In the illustrated example, 92% of the packets are TCP and 8% are UDP, which percentages are shown by the size of segments 208 and 209 and by the corresponding text labels.

Pie chart 203 corresponds to the Layer 5/7 (Session Layer/Application Layer) information for all of the captured packets. In the illustrated example, the captured packets correspond to a number of different Layer 5/7 protocols. Most of these protocols are represented individually in pie chart 203 with a designated segment and corresponding text label. However, because there may be many different Layer 5/7 protocols in use on the network at any one time, only the top “N” protocols are displayed individually. The number N may be a preset value or may be configured by the user. The pie chart will contain at most N+1 slices. The top N categories or protocols are displayed as pie chart slices 1 to N. The N+1 slice represents the remaining categories or protocols that had fewer packets per category than the top N categories. The N+1 slice is labeled as an “Other” category and its relative size corresponds to the sum or the packets in the remaining categories. The use of the “other” category to display only the top N categories or protocols for a particular layer may be applied to the Layer 3 and Layer 4 displays in a similar manner.

In the illustrated example, a number of well known Layer 5/7 protocols are displayed, such as HTTP, NFS (Network File System), DNS (Domain Name Service), BGP (Border Gateway Protocol), AURP (AppleTalk Update-Based Routing Protocol), and AIM (AOL Instant Messaging), and several generic protocol labels P1-P4. It will be understood that these protocols—and the Layer 3 and Layer 4 protocols—are used in FIG. 2 for illustrative purposes only and are not intended to limit the present invention to any particular protocols or to require any specific protocols.

The user can select any segment in pie charts 201-203 for further analysis of the network data. For example, a mouse or other pointing device may be used to position cursor 210 over IPv4 segment 204 on display 200. The user then “clicks” on segment 204 to select IPv4 data for further analysis, which corresponds to drilling down into the next layer of data. Subsequent levels of data are represented as additional pie charts. The initial representation given to these subsequent pie charts reflect the summary of categories at the next level regardless of data in the parent node. The subsequent levels also use the N+1 concept explained above, as appropriate.

FIG. 3 illustrates another exemplary display 300 according to one embodiment of the invention. Display 300 is the result of selecting IPv4 segment 204 on display 200 (FIG. 2) and comprises a plurality of pie charts 301-303, which represent information associated with different OSI layers in captured IPv4 data packets only. The information shown in display 300 may correspond to packets captured from all of the links in a network, from a selected group of links, from a specific link, or from a network element or node; however, this data is limited to packets that use IPv4 in Layer 3.

Pie chart 301 is similar to pie chart 201 and represents Layer 3 (Network Layer) information; however, in pie chart 301, IPv4 segment 304 is highlighted to show that this segment has been selected for further analysis. The total group of captured packets for the selected link or group of links still comprises 77% IPv4 packets and 23% IPv6 packets as illustrated in pie charts 201 and 301. Changes from display 200 to display 300 are more apparent in pie charts 302 and 303.

Pie chart 302—like pie chart 202—corresponds to Layer 4 (Transport Layer) information. The captured packets are either TCP (Transmission Control Protocol) or UDP (Transmission Control Protocol) Internet Protocol traffic. However, in pie chart 302, only packets that have IPv4 Layer 3 packets (i.e. the selected protocol in pie chart 301) are represented. In the illustrated example, 89% of the IPv4 packets use TCP and 8% of the IPv4 packets use UDP. These numbers are specific only to the selected IPv4 segment 304. These percentages in chart 302 differ from the percentages in chart 202 because only IPv4 packets are represented in FIG. 3, while FIG. 2 represented all captured packets without regard to a specific network layer (Layer 3) protocol.

Pie chart 303—like pie chart 203—corresponds to Layer 5/7 (Session Layer/Application Layer) information. The captured packets correspond to a number of different Layer 5/7 protocols. However, in pie chart 303, only IPv4 packets are shown. Comparing pie chart 303 to chart 203, it is apparent that protocol 4 (p4) is not displayed. This means that the p4 protocol is either not carried on the IPv4 packets (or at least not carried on the captured packets). The percentages of packets for each Layer 5/7 protocol are recalculated and displayed in pie chart 303 to represent only IPv4 packets.

Alternatively, the user may have selected segment 205 in display 200 (FIG. 2) to drill down into the IPv6 packets. If segment 205 had been selected, then the pie charts for Layer 4 and Layer 5/7 (302, 303) would display only IPv6 packets.

The user can select any segment in pie charts 301-303 for further analysis of the network data. For example, a mouse or other pointing device may be used to position cursor 210 over TCP segment 306 on display 200. The user then “clicks” on segment 306 to select TCP data for further analysis, which corresponds to drilling down into a further layer of data.

FIG. 4 illustrates another exemplary display 400 according to one embodiment of the invention. Display 400 is the result of selecting TCP segment 306 on display 300 (FIG. 3) and comprises a plurality of pie charts 401-403, which represent information associated with different OSI layers in captured IPv4+TCP data packets only. The information shown in display 400 may correspond to packets captured from all of the links in a network, from a selected group of links, or from a specific link; however, this data is limited to packets that use IPv4 in Layer 3 and TCP in Layer 4

Pie chart 401 is similar to pie chart 301 and represents Layer 3 (Network Layer) information. IPv4 segment 304 is highlighted to show that this segment has been selected for further analysis. The proportions of segments 304 and 305 are the same as shown in pie chart 301 (FIG. 3) because no further filtering has been selected.

Pie chart 402—like pie charts 202 and 302—corresponds to Layer 4 (Transport Layer) information. Segment 404 has been highlighted to show that this segment has been selected for further analysis. Display 400 shows that 89% of the IPv4 packets use TCP and 8% of the IPv4 packets use UDP. These numbers are the same as pie chart 302 because they are specific to the selected IPv4 segment 304 only, just as shown in pie chart 302.

Pie chart 403—like pie charts 203 and 303—corresponds to Layer 5/7 (Session Layer/Application Layer) information. The captured packets correspond to a number of different Layer 5/7 protocols. However, in pie chart 403, only packets using both IPv4 and TCP are shown. If pie chart 403 is compared to charts 203 and 303, it is apparent that several protocols are not displayed. For example, the NFS, DNS, p1, p2, and p3 protocols are not shown. These means that these protocols are either not carried on the IPv4/TCP packets (or at least not carried on this group of captured packets). The percentages of packets for each Layer 5/7 protocol are recalculated and displayed in pie chart 403 to represent only IPv4/TCP packets.

Pie chart 403 does not provide the filter capability to create a new group of pie charts. If the user selects segments of pie chart 403 (or pie charts 203,303) then the monitoring equipment will interpret the selection as a drilldown to other data pages or applications that are specific to the Layer 5/7 application, such a list or summary of packets associated with the application.

The user is not limited to selecting segments of the pie chart displays in sequential order. Although the examples above illustrated a user selecting a Layer 3 segment, then a Layer 4 segment, and then a Layer 5/7 segment, it will be understood by those of skill in the art that the user may select any segment in any of the pie chart layers at any time. Accordingly, in alternative embodiments, the user may select any segment in pie charts 201-203 (FIG. 2) in any order to drill-down into the underlying data.

Although the examples herein refer to data packets or packet counts in describing the hierarchical display, it will be understood by those of skill in the art that the hierarchical display can be applied to any measurement in a network or system that is counter-based. The data shown on the charts could also represent other key performance indicators (KPI), bytes, octets, or the like.

Many modifications and other embodiments of the invention will come to mind to one skilled in the art to which this invention pertains having the benefit of the teachings presented in the foregoing descriptions, and the associated drawings. Therefore, it is to be understood that the invention is not to be limited to the specific embodiments disclosed. Although specific terms are employed herein, they are used in a generic and descriptive sense only and not for purposes of limitation. 

1-19. (canceled)
 20. A network monitoring system, comprising: a processor; and a memory coupled to the processor, the memory configured to store program instructions that, upon execution by the processor, cause the network monitoring system to: provide a first graphical representation, the first graphical representation having a first plurality of portions, each of the first plurality of portions having a size proportional to a characteristic of data packets belonging to a corresponding one of a first plurality of communication protocols of a first layer of the Open Systems Interconnection (OSI) model, the data packets having been captured from one or more links in a telecommunications network; receive an indication of a selected one of the first plurality of portions; and provide a second graphical representation, the second graphical representation having a second plurality of portions, each of the second plurality of portions having a size proportional to a characteristic of a subset of the data packets corresponding to the selected one of the first plurality of portions and belonging to a corresponding one of a second plurality of communication protocols of a second layer of the OSI model.
 21. The network monitoring system of claim 20, wherein the first and second graphical representations include pie charts, and wherein the first and second pluralities of portions include segments of the first and second pie charts, respectively.
 22. The network monitoring system of claim 20, wherein the characteristic is an amount of data packets.
 23. The network monitoring system of claim 20, wherein the characteristic is a Key Performance Indicator (KPI).
 24. The network monitoring system of claim 20, wherein at least one of the first plurality of portions has a size proportional to a characteristic of data packets belonging to two or more of the first plurality of communication protocols.
 25. The network monitoring system of claim 24, wherein the program instructions, upon execution by the processor, further cause the network monitoring system to receive an indication of a selected number of the first plurality of portions, the selected number smaller than a total number of protocols in the first plurality of communications protocols, the selected number determining how many of the two or more of the plurality of communication protocols is represented in the at least one of the plurality of portions.
 26. The network monitoring system of claim 20, wherein the first layer is a network layer, and wherein the second layer is a transport layer.
 27. The network monitoring system of claim 26, wherein the first plurality communication protocols includes an Internet Protocol (IP) version 6 (v6) and IPv4 protocol, and wherein the second plurality of communication protocols includes a Transmission Control Protocol (TCP) and a User Datagram Protocol (UDP).
 28. The network monitoring system of claim 20, wherein the first layer is a transport layer, and wherein the second layer is selected from the group consisting of: a session layer, and an application layer.
 29. The network monitoring system of claim 28, wherein the first plurality of communication protocols includes a Transmission Control Protocol (TCP) and a User Datagram Protocol (UDP), and wherein the second plurality of communication protocols includes one or more protocols selected from the group consisting of: Hypertext Transfer Protocol (HTTP), Network File System (NFS), and Domain Name System (DNS).
 30. A method, comprising: performing, by network monitoring system, providing a first graphical representation, the first graphical representation having a first plurality of portions, each of the first plurality of portions having a size proportional to a characteristic of data packets belonging to a corresponding one of a first plurality of communication protocols of a first layer of the Open Systems Interconnection (OSI) model, the data packets having been captured from one or more links in a telecommunications network; receiving an indication of a selected one of the first plurality of portions; and providing a second graphical representation, the second graphical representation having a second plurality of portions, each of the second plurality of portions having a size proportional to a characteristic of a subset of the data packets corresponding to the selected one of the first plurality of portions and belonging to a corresponding one of a second plurality of communication protocols of a second layer of the OSI model.
 31. The method of claim 30, wherein the first and second graphical representations include pie charts, and wherein the first and second pluralities of portions include segments of the first and second pie charts, respectively.
 32. The method of claim 30, wherein the characteristic is at least one of: an amount of data packets or a Key Performance Indicator (KPI).
 33. The method of claim 30, wherein at least one of the first plurality of portions has a size proportional to a characteristic of data packets belonging to two or more of the first plurality of communication protocols.
 34. The method of claim 30, further comprising: performing, by the network monitoring system, receiving an indication of a selected number of the first plurality of portions, the selected number smaller than a total number of protocols in the first plurality of communications protocols, the selected number determining how many of the two or more of the plurality of communication protocols is represented in the at least one of the plurality of portions.
 35. The method of claim 30, wherein the first layer is a network layer, and wherein the second layer is a transport layer.
 36. The method of claim 30, wherein the first layer is a transport layer, and wherein the second layer is selected from the group consisting of: a session layer, and an application layer.
 37. A non-transitory computer-readable storage medium having program instructions stored thereof that, upon execution by a network monitoring system, cause the network monitoring system to: provide a first graphical representation, the first graphical representation having a first plurality of portions, each of the first plurality of portions having a size proportional to a characteristic of data packets belonging to a corresponding one of a first plurality of communication protocols of a first layer of the Open Systems Interconnection (OSI) model, the data packets having been captured from one or more links in a telecommunications network; receive an indication of a selected one of the first plurality of portions; and provide a second graphical representation, the second graphical representation having a second plurality of portions, each of the second plurality of portions having a size proportional to a characteristic of a subset of the data packets corresponding to the selected one of the first plurality of portions and belonging to a corresponding one of a second plurality of communication protocols of a second layer of the OSI model.
 38. The non-transitory computer-readable storage medium of claim 37, wherein the first and second graphical representations include pie charts, wherein the first and second pluralities of portions include segments of the first and second pie charts, respectively, and wherein the characteristic is at least one of: an amount of data packets or a Key Performance Indicator (KPI).
 39. The non-transitory computer-readable storage medium of claim 37, wherein at least one of the first plurality of portions has a size proportional to a characteristic of data packets belonging to two or more of the first plurality of communication protocols, and wherein the program instructions, upon execution by the processor, further cause the network monitoring system to: receive an indication of a selected number of the first plurality of portions, the selected number smaller than a total number of protocols in the first plurality of communications protocols, the selected number determining how many of the two or more of the plurality of communication protocols is represented in the at least one of the plurality of portions. 